Abstract: This paper is concerned with the foundations of the Calculus
of Algebraic Constructions (CAC), an extension of the Calculus of Construc-
tions by inductive data types. CAC generalizes inductive types equipped with
higher-order primitive recursion, by providing definitions of functions by pattern-
matching which capture recursor definitions for arbitrary non-dependent and
non-polymorphic inductive types satisfying a strict positivity condition. CAC
also generalizes the first-order framework of abstract data types by providing
dependent types and higher-order rewrite rules.

1 Introduction 

Proof assistants allow one to build complex proofs by using macros, called tactics,
which generate proof terms representing the sequence of deduction rules used
in the proof. These proof terms are then "type-checked" in order to ensure the
correct use of each deduction step. As a consequence, the correctness of the
proof assistant, hence of the verification itself, relies solely on the correctness of
the type-checker, but not on the tactics themselves. This approach has a major
problem: proof objects may become very large. For example, proving that 0+100
equals its normal form 100 in some encoding of Peano arithmetic will generate
a proof of a hundred steps, assuming + is defined by induction on its second
argument. Such proofs occur in terms, as well as in subterms of a dependent
type. Our long term goal is to cure this situation by restoring the balance
between computations and deductions, as argued in [14]. The work presented in
this paper intends to be a first important step towards this goal. To this end, we
will avoid encodings by incorporating into the Calculus of Constructions (CC) [9]
user-defined function symbols defined by sets of first and higher-order rewrite
rules. These rules will be used in conjunction with the usual proof reduction
rule that reduces subterms in dependent types.
Since the pioneer work by Breazu-Tannen in 1988 [5] on the confluence of the
combination of the simply-typed λ-calculus with first-order algebraic rewriting,
soon followed, as for the strong normalization, by Breazu-Tannen and Gallier [6]
and, independently, by Okada [21], this question has been very active. We
started our program at the beginning of the decade, by developing the notion
of abstract data type system [18], in which the user-defined computations could
be described by using rewrite rules belonging to the so-called General Schema,
a generalization of higher-order primitive recursion. This work was done in the
context of a bounded polymorphic type discipline, and was later extended to
CC [1].

In [4], we introduced, in the context of the simply-typed λ-calculus, a new
and more flexible definition of the General Schema to capture the rewrite rules
defining recursors for strictly positive inductive types [10], a problem left open
in [18]. In this paper, we similarly equip CC with non-dependent and non-
polymorphic inductive types, and first and higher-order rewriting. Our main
result is that this extension is compatible with CC.

In [10], strictly positive inductive types can be dependent and polymorphic.
Hence, further work will be needed to reach the expressive power of the Calculus
of Inductive Constructions [22], implemented in the Coq proof assistant [3], all
the more so since it handles strong elimination, that is the possibility to define
types by induction. But our new General Schema seems powerful and flexible
enough to be further extended to such a calculus, hence resulting in a simpler
strong normalization proof.

As a consequence of our result, it will become possible to develop a new 
version of the Coq proof assistant, in which the user may define functions by 
pattern-matching and then develop libraries of decision procedures using this 
kind of functional style. Ensuring the consistency of the underlying proof theory 
requires a proof that the user-defined rules obey the General Schema, a task 
that can be easily automated. Note also that, since most of the time, when 
one develops proofs, the efficiency of rewriting does not really matter, the type- 
checker of the proof development system can be kept small and not too difficult 
to certify, hence conforming to the idea of relying on a small easy-to-check kernel. 



2 Definition of the calculus 

2.1 Syntax 

Definition 1 (Algebraic types) Given a set $\mathcal{S}$ of sorts, we define the set
$\mathcal{T}_{\mathcal{S}}$ of algebraic types:

$s := s \mid (s \to s)$

where $s$ ranges over $\mathcal{S}$ and $\to$ associates to the right such that $s_1 \to (s_2 \to s_3)$
can be written $s_1 \to s_2 \to s_3$. An algebraic type $s_1 \to \ldots \to s_n$ is first-order if
each $s_i$ is a sort, otherwise it is higher-order.
Definition 2 (Constructors) We assume that each sort $s$ has an associated
set $\mathcal{C}(s)$ of constructors. Each constructor $C$ is equipped with an algebraic type
$\tau(C)$ of the form $s_1 \to \ldots \to s_n \to s$; $n$ is called the arity of $C$, and $s$ its output
type. We denote by $\mathcal{C}_n$ the set of constructors of arity $n$.

A constructor $C$ is first-order if its type is first-order, otherwise it is higher-
order. Constructor declarations define a quasi-ordering on sorts: $s \geq_{\mathcal{S}} t$ if and
only if $t$ occurs in the type of a constructor belonging to $\mathcal{C}(s)$. In the following,
we will assume that $>_{\mathcal{S}}$ is well-founded, ruling out mutually inductive sorts.

Definition 3 (Algebraic signature) Given a non empty sequence $s_1, \ldots, s_n, s$
of algebraic types, we denote by $\mathcal{F}_{s_1 \ldots s_n s}$ the set of function symbols of arity
$n$, of type $\tau(f) = s_1 \to \ldots \to s_n \to s$ and of output type $s$. We will denote
by $\mathcal{F}_n$ the set of function symbols of arity $n$, and by $\mathcal{F}$ the set of all function
symbols. Function symbols with a first-order (resp. higher-order) type are called
first-order (resp. higher-order).

Here are familiar examples of sorts and functions:

(i) the sort $bool$ of booleans whose constructors are $true : bool$ and
$false : bool$; $if_t$ of arity 3 is a defined function of type $bool \to t \to t \to t$
for any algebraic type $t$;

(ii) the sort $nat$ of natural numbers whose constructors are $0 : nat$ and
$s : nat \to nat$; $+$ of arity 2 is a defined function of type $nat \to nat \to nat$;

(iii) the sort $list_t$ of lists of elements of an algebraic type $t$ whose construc-
tors are $nil_t : list_t$ and $cons_t : t \to list_t \to list_t$; $append_t$ of arity 2 is a
defined function of type $list_t \to list_t \to list_t$, while $map_{t,t'}$ of arity 2 is a
defined function of type $(t \to t') \to list_t \to list_{t'}$;

(iv) the sort $ord$ of ordinals whose constructors are $0_{ord} : ord$,
$s_{ord} : ord \to ord$ and $lim_{ord} : (nat \to ord) \to ord$.

Definition 4 (Terms) The set $Term$ of CAC terms is inductively defined as:

$a := x \mid s \mid * \mid \Box \mid \lambda x{:}a.a \mid \Pi x{:}a.a \mid (a\ a) \mid C(a_1, \ldots, a_n) \mid f(a_1, \ldots, a_n)$

where $s$ ranges over $\mathcal{S}$, $C$ over $\mathcal{C}_n$, $f$ over $\mathcal{F}_n$ and $x$ over $Var$, a set of variables
made of two disjoint infinite sets $Var^{\Box}$ and $Var^{*}$. The application $(a\ b)$ asso-
ciates to the left such that $(a_1\ a_2)\ a_3$ can be written $a_1\ a_2\ a_3$. The sequence of
terms $a_1 \ldots a_n$ is denoted by the vector $\vec{a}$ of length $|\vec{a}| = n$. A term $C(\vec{a})$ (resp.
$f(\vec{a})$) is said to be constructor headed (resp. function headed).

After Dewey, the set $Pos(a)$ of positions in a term $a$ is a language over the
alphabet $\mathbb{N}^{+}$ of strictly positive natural numbers. Note that abstraction and
product have two arguments, the type and the body. The subterm of a term $a$
at position $p \in Pos(a)$ is denoted by $a|_p$ and the term obtained by replacing $a|_p$
by a term $b$ is written $a[b]_p$. We write $a \rhd b$ if $b$ is a subterm of $a$.

We note by $FV(a)$ and $BV(a)$ the sets of respectively free and bound vari-
ables occurring in a term $a$, and by $Var(a)$ their union. By convention, bound
and free variables will always be assumed different. As in the untyped λ-calculus,
terms that only differ from each other in their bound variables will be identified,
an operation called α-conversion. A substitution $\theta$ of domain $dom(\theta) = \{\vec{x}\}$ is
written $\{\vec{x} \mapsto \vec{b}\}$. Substitutions are written in postfix notation, as in $a\theta$.

Finally, we traditionally consider that $(b\ \vec{a})$, $\lambda\vec{x}{:}\vec{a}.b$ and $\Pi\vec{x}{:}\vec{a}.b$ denote all
three the term $b$ if $\vec{a}$ is the empty sequence, and the respective terms
$(\ldots((b\ a_1)\ a_2) \ldots a_n)$, $\lambda x_1{:}a_1.(\lambda x_2{:}a_2.(\ldots(\lambda x_n{:}a_n.b)\ldots))$ and
$\Pi x_1{:}a_1.(\Pi x_2{:}a_2.(\ldots(\Pi x_n{:}a_n.b)\ldots))$ otherwise. We also write $a \to b$ for
the term $\Pi x{:}a.b$ when $x \notin FV(b)$. This abbreviation allows us to see algebraic
types as terms of our calculus.

Figure 1: Typing rules of CAC: (ax), (sort), (var), (weak), (cons), (fun), (abs), (app), (conv), (prod).

2.2 Typing rules 

Definition 5 (Typing rules) A declaration is a pair $x{:}a$ made of a variable
$x$ and a term $a$. An environment $\Gamma$ is a (possibly empty) ordered sequence of
declarations of the form $x_1{:}a_1, \ldots, x_n{:}a_n$, where all $x_i$ are distinct;
$dom(\Gamma) = \{x_1, \ldots, x_n\}$ is its domain, $FV(\Gamma) = \bigcup_{x:a \in \Gamma} FV(a)$ is its set of
free variables, and $\Gamma(x_i) = a_i$. A typing judgement is a triple $\Gamma \vdash a{:}b$ made of
an environment $\Gamma$ and two terms $a, b$. A term $a$ has type $b$ in an environment $\Gamma$
if the judgement $\Gamma \vdash a{:}b$ can be deduced by the rules of Figure 1. An environment
is valid if $*$ can be typed in it. An environment is algebraic if every declaration
has the form $x{:}c$, where $c$ is an algebraic type.

The rules (sort), (cons) and (fun) are added to the rules of CC [9]. The (conv)
rule expresses that types depend on reductions via terms. In CC, the relation
used in the side condition is the monotonic, symmetric, reflexive, transitive
closure of the β-rewrite relation $(\lambda x{:}a.b)\ c \to_{\beta} b\{x \mapsto c\}$.

In our calculus, there are two kinds of computation rules: β- (or proof-)
reduction and the user-defined rewrite rules, denoted by $\to_R$. This contrasts
with the other calculi of constructions, in which the meaning of (conv) is fixed
by the designer of the language, while it depends on the user in our system.
The unusual form of the side condition of our conversion rule is due to the fact
that no proof of subject reduction is known for a conversion rule with the more
natural side condition $b \leftrightarrow^{*}_{\beta R} b'$. See [2] for details.

The structural properties of CC are also true in CAC. See [1] and [2] for
details. We just recall the different term classes that compose the calculus.

Definition 6 Let $Kind$ be the set $\{K \in Term \mid \exists\Gamma,\ \Gamma \vdash K{:}\Box\}$ of kinds, $Constr$
be the set $\{T \in Term \mid \exists\Gamma, \exists K \in Kind,\ \Gamma \vdash T{:}K\}$ of type constructors, $Type$ be
the set $\{t \in Term \mid \exists\Gamma,\ \Gamma \vdash t{:}*\}$ of types, $Obj$ be the set
$\{u \in Term \mid \exists\Gamma, \exists t \in Type,\ \Gamma \vdash u{:}t\}$ of objects, and $Thm$ be the set
$Constr \cup Kind$ of theorems.

Lemma 7 Kinds, type constructors and objects can be characterized as follows:

• $K := * \mid \Pi x{:}t.K \mid \Pi\alpha{:}K.K$

• $T := s \mid \alpha \mid \Pi x{:}t.T \mid \Pi\alpha{:}K.T \mid \lambda x{:}t.T \mid \lambda\alpha{:}K.T \mid (T\ u) \mid (T\ T)$

• $u := x \mid C(u_1, \ldots, u_n) \mid f(u_1, \ldots, u_n) \mid \lambda x{:}t.u \mid \lambda\alpha{:}K.u \mid (u\ u) \mid (u\ T)$

where $\alpha \in Var^{\Box}$ and $x \in Var^{*}$.

2.3 Inductive types 

Inductive types have been introduced in CC for at least two reasons: firstly, to
ease the user's description of his/her specification by avoiding the complicated
impredicative encodings which were necessary before; secondly, to transform in-
ductive proofs into inductive procedures via the Curry-Howard isomorphism.
The logical consistency of the calculus follows from the existence of a least fix-
point, a property which is ensured syntactically in the Calculus of Inductive
Constructions by restricting oneself to strictly positive types [10].

Definition 8 (Positive and negative type positions) Given an algebraic type
$s$, its sets of positive and negative positions are inductively defined as follows:

$Pos^{+}(s \in \mathcal{S}) = \{\varepsilon\}$    $Pos^{-}(s \in \mathcal{S}) = \emptyset$

$Pos^{+}(s \to t) = 1 \cdot Pos^{-}(s) \cup 2 \cdot Pos^{+}(t)$    $Pos^{-}(s \to t) = 1 \cdot Pos^{+}(s) \cup 2 \cdot Pos^{-}(t)$

Given an algebraic type $t$, we say that $s$ occurs positively in $t$ if $s$ occurs
in $t$, and each occurrence of $s$ in $t$ is at a positive position.

Definition 9 (Inductive sorts) Let $s$ be a sort whose constructors are $C_1, \ldots, C_n$
and suppose that $C_i$ has type $s^i_1 \to \ldots \to s^i_{n_i} \to s$. Then we say that:

(i) $s$ is a basic inductive sort if each $s^i_k$ is $s$ or a basic inductive sort smaller
than $s$ in $<_{\mathcal{S}}$;

(ii) $s$ is a strictly positive inductive sort if each $s^i_k$ is either a strictly positive
inductive sort smaller than $s$ in $<_{\mathcal{S}}$, or of the form $s'_1 \to \ldots \to s'_p \to s$ where
each $s'_k$ is built from strictly positive inductive sorts smaller than $s$ in $<_{\mathcal{S}}$.

In the following, we will assume that every inductive sort of a user specifica-
tion is strictly positive.

The sort $nat$ whose constructors are $0 : nat$ and $s : nat \to nat$ is a basic
sort. The sort $ord$ whose constructors are $0_{ord} : ord$, $s_{ord} : ord \to ord$ and
$lim_{ord} : (nat \to ord) \to ord$ is a strictly positive sort, since $ord >_{\mathcal{S}} nat$.
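The positivity conditions of Definitions 8 and 9, as an added Python example that is not part of the paper: it computes $Pos^{+}$ and $Pos^{-}$, derives the sort ordering from the constructor declarations, and checks the basic and strictly positive cases on $nat$, $list_{nat}$ and $ord$. The tuple encoding of types and the extra sort `bad`, whose single constructor has type $(bad \to nat) \to bad$, are constructed for this illustration; `bad` occurs positively in that type but is not strictly positive, which is exactly the distinction the assumption after Definition 9 relies on.

```python
# Added example (not from the paper): Definition 8 (positive and negative
# positions of an algebraic type) and Definition 9 (basic and strictly
# positive inductive sorts), run on the paper's sorts and on a constructed
# counter-example.  Encoding (constructed): a sort is a str, the arrow type
# s -> t is ('->', s, t), a position is a string over {1, 2}.

def ARROW(s, t):
    return ('->', s, t)

def type_positions(ty, sign=+1):
    """(position, sign) pairs of ty, as in Definition 8: the argument of an
    arrow flips the sign (1.Pos^-), the result keeps it (2.Pos^+)."""
    if isinstance(ty, str):
        return {("", sign)}
    _, s, t = ty
    return ({("1" + p, sg) for p, sg in type_positions(s, -sign)}
            | {("2" + p, sg) for p, sg in type_positions(t, sign)})

def sort_at(ty, pos):
    for d in pos:
        ty = ty[1] if d == "1" else ty[2]
    return ty

def occurs_positively(s, ty):
    """s occurs in ty and every occurrence of s is at a positive position."""
    signs = [sg for p, sg in type_positions(ty) if sort_at(ty, p) == s]
    return bool(signs) and all(sg == +1 for sg in signs)

def sorts_of(ty):
    return {ty} if isinstance(ty, str) else sorts_of(ty[1]) | sorts_of(ty[2])

def arg_types(ty):
    """Split s1 -> ... -> sn -> s into ([s1, ..., sn], s)."""
    args = []
    while not isinstance(ty, str):
        args.append(ty[1])
        ty = ty[2]
    return args, ty

def sorts_below(s, constructors, seen=None):
    """Sorts strictly below s in the ordering induced by constructor
    declarations (t occurs in the type of a constructor of s), closed
    transitively; s itself is excluded."""
    seen = set() if seen is None else seen
    for cty in constructors[s]:
        for t in sorts_of(cty) - {s}:
            if t not in seen:
                seen.add(t)
                sorts_below(t, constructors, seen)
    return seen - {s}

def is_basic(s, constructors, stack=()):
    """Definition 9(i).  A sort met again on the recursion stack means the
    ordering is not well-founded (mutual induction), which the paper excludes."""
    if s in stack:
        return False
    below = sorts_below(s, constructors)
    for cty in constructors[s]:
        for a in arg_types(cty)[0]:
            if a != s and not (isinstance(a, str) and a in below
                               and is_basic(a, constructors, stack + (s,))):
                return False
    return True

def is_strictly_positive(s, constructors, stack=()):
    """Definition 9(ii): each constructor argument is a strictly positive
    sort below s, or s'_1 -> ... -> s'_p -> s with every s'_k built from
    strictly positive sorts below s (p = 0 gives s itself)."""
    if s in stack:
        return False
    below = sorts_below(s, constructors)
    def sp(t):
        return t in below and is_strictly_positive(t, constructors, stack + (s,))
    for cty in constructors[s]:
        for a in arg_types(cty)[0]:
            if isinstance(a, str):
                if a != s and not sp(a):
                    return False
            else:
                premises, out = arg_types(a)
                if out != s or not all(sp(t) for p in premises for t in sorts_of(p)):
                    return False
    return True

# Constructor types of the paper's examples, plus the constructed sort 'bad'
# whose only constructor has type (bad -> nat) -> bad.
CONSTRUCTORS = {
    'bool': ['bool', 'bool'],                                        # true, false
    'nat': ['nat', ARROW('nat', 'nat')],                             # 0, s
    'list_nat': ['list_nat', ARROW('nat', ARROW('list_nat', 'list_nat'))],
    'ord': ['ord', ARROW('ord', 'ord'), ARROW(ARROW('nat', 'ord'), 'ord')],
    'bad': [ARROW(ARROW('bad', 'nat'), 'bad')],
}

if __name__ == "__main__":
    for s in CONSTRUCTORS:
        print(s, "basic:", is_basic(s, CONSTRUCTORS),
              "strictly positive:", is_strictly_positive(s, CONSTRUCTORS))
    # 'bad' occurs only positively in (bad -> nat) -> bad (position 1.1 is
    # negative of negative), yet the sort is not strictly positive.
    print(occurs_positively('bad', CONSTRUCTORS['bad'][0]))
```

The `stack` guard rejects a sort that reappears on its own recursion path, which is how the well-foundedness assumption of Definition 2 (no mutually inductive sorts) shows up operationally.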

Definition 10 (Strictly positive recursors) Let $s$ be a strictly positive in-
ductive sort generated by the constructors $C_1, \ldots, C_n$ of respective types
$s^i_1 \to \ldots \to s^i_{n_i} \to s$. The associated recursor $rec^t_s$ of algebraic output type $t$ is
a function symbol of arity $n+1$, and type $s \to t_1 \to \ldots \to t_n \to t$ where
$t_i = s^i_1 \to \ldots \to s^i_{n_i} \to s^i_1\{s \mapsto t\} \to \ldots \to s^i_{n_i}\{s \mapsto t\} \to t$, defined by
the rewrite rules:

$rec^t_s(C_i(\vec{a}), \vec{b}) \to b_i\ \vec{a}\ \vec{a'}$ where

$a'_j = a_j$ if $s$ is not in $s^i_j$, otherwise $s^i_j = s'_1 \to \ldots \to s'_p \to s$ and
$a'_j = \lambda\vec{x}{:}\vec{s'}\{s \mapsto t\}.\,rec^t_s(a_j\ \vec{x}, \vec{b})$.

Via the Curry-Howard isomorphism, a recursor of a sort $s$ corresponds to the
structural induction principle associated to the set of elements built from the
constructors of $s$. Strictly positive types are found in many proof assistants based
on the Curry-Howard isomorphism, e.g. in Coq [3]. Here are a few recursors:

$rec^t_{bool}(true, u, v) \to u$          $rec^t_{nat}(0, u, v) \to u$
$rec^t_{bool}(false, u, v) \to v$         $rec^t_{nat}(s(n), u, v) \to v\ n\ rec^t_{nat}(n, u, v)$

$rec^t_{ord}(0_{ord}, u, v, w) \to u$
$rec^t_{ord}(s_{ord}(n), u, v, w) \to v\ n\ rec^t_{ord}(n, u, v, w)$
$rec^t_{ord}(lim_{ord}(f), u, v, w) \to w\ f\ (\lambda n{:}nat.\,rec^t_{ord}(f\ n, u, v, w))$

$rec^t_{bool}$ is $if_t$ and $rec^t_{nat}$ is Gödel's higher-order primitive recursion operator.

2.4 User-defined rules

First, we define the syntax of terms that may be used for rewrite rules:

Definition 11 (Rule terms) Terms built up solely from constructors, function
symbols and variables of $Var^{*}$, are called algebraic. Their set is defined by the
following grammar:

$a := x^{*} \mid C(a_1, \ldots, a_n) \mid f(a_1, \ldots, a_n)$

where $x^{*}$ ranges over $Var^{*}$, $C$ over $\mathcal{C}_n$ and $f$ over $\mathcal{F}_n$. An algebraic term is first-
order if its function symbols and constructors are first-order, and higher-order
otherwise. These terms are extended to rule terms by the following grammar:

where $x^{*}$ ranges over $Var^{*}$, $s$ over $\mathcal{T}_{\mathcal{S}}$, $C$ over $\mathcal{C}_n$ and $f$ over $\mathcal{F}_n$. A rule term
is first-order if it is a first-order algebraic term, otherwise it is higher-order.

Definition 12 (Rewrite rules) A rewrite rule is a pair $l \to r$ of rule terms
such that $l$ is headed by a function symbol $f$ which is said to be defined, and
$FV(r) \subseteq FV(l)$. Given a set $R$ of rewrite rules, a term $a$ rewrites to a term $b$
at position $m \in Pos(a)$ with the rule $l \to r \in R$, written $a \to^{m}_{l \to r} b$, if
$a|_m = l\theta$ and $b = a[r\theta]_m$ for some substitution $\theta$.

A rewrite rule is first-order if $l$ and $r$ are both first-order, otherwise it is
higher-order. A first-order rewrite rule $l \to r$ is conservative if no (free) vari-
able has more occurrences in $r$ than in $l$. The rules induce the following quasi-
ordering on function symbols: $f \geq_{\mathcal{F}} g$ iff $g$ occurs in a defining rule of $f$.

We assume that first-order function symbols are defined only by first-order
rewrite rules. Of course, it is always possible to treat a first-order function
symbol as a higher-order one. Here are examples of rules:

$if_t(true, u, v) \to u$                  $map_{t,t'}(f, nil_t) \to nil_{t'}$

$if_t(false, u, v) \to v$                 $map_{t,t'}(f, cons_t(x, l)) \to cons_{t'}(f\ x, map_{t,t'}(f, l))$

$+(x, 0) \to x$                           $ack(0, y) \to s(y)$

$+(x, s(y)) \to s(+(x, y))$               $ack(s(x), 0) \to ack(x, s(0))$

$+(+(x, y), z) \to +(x, +(y, z))$         $ack(s(x), s(y)) \to ack(x, ack(s(x), y))$
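A rewrite step in the sense of Definition 12, as an added Python example that is not from the paper, applied to the $+$ and $ack$ rules above: matching instantiates the left-hand side at a position, the right-hand side instance replaces it there, and the step is iterated to a normal form. The term encoding, the choice of rewriting at the first matching position in prefix order, and the numeral helpers are constructed here. The conservativity test of Definition 12 is included because the last $ack$ rule duplicates $x$, which is why a first-order symbol like $ack$ has to be treated as a higher-order one, as the text above allows.

```python
# Added example (not from the paper): first-order rewriting as in Definition
# 12, with the paper's rules for + and ack.  Encoding (constructed): a variable
# is a str, an application C(a1..an) / f(a1..an) is (head, a1, ..., an), 0 is ('0',).
from collections import Counter

def is_var(t):
    return isinstance(t, str)

def match(pat, term, subst):
    """Extend subst to a substitution theta with pat.theta == term; None if
    impossible (a repeated variable must match syntactically equal terms)."""
    if is_var(pat):
        if pat in subst:
            return subst if subst[pat] == term else None
        return {**subst, pat: term}
    if is_var(term) or pat[0] != term[0] or len(pat) != len(term):
        return None
    for p, t in zip(pat[1:], term[1:]):
        subst = match(p, t, subst)
        if subst is None:
            return None
    return subst

def apply_subst(t, subst):          # t.theta, postfix as in the paper
    if is_var(t):
        return subst.get(t, t)
    return (t[0],) + tuple(apply_subst(a, subst) for a in t[1:])

def positions(t, here=()):
    """Dewey positions of t in prefix order: root (), argument i is here + (i,)."""
    yield here
    if not is_var(t):
        for i, a in enumerate(t[1:], start=1):
            yield from positions(a, here + (i,))

def subterm_at(t, pos):             # a|_p
    for i in pos:
        t = t[i]
    return t

def replace_at(t, pos, b):          # a[b]_p
    if not pos:
        return b
    i = pos[0]
    return t[:i] + (replace_at(t[i], pos[1:], b),) + t[i + 1:]

def rewrite_step(t, rules):
    """One step a ->_R b at the first position m (prefix order) where some
    rule l -> r matches: a|_m = l.theta is replaced by r.theta.  None if t is
    in R-normal form."""
    for pos in positions(t):
        sub = subterm_at(t, pos)
        for lhs, rhs in rules:
            theta = match(lhs, sub, {})
            if theta is not None:
                return replace_at(t, pos, apply_subst(rhs, theta))
    return None

def normal_form(t, rules, max_steps=10_000):
    for _ in range(max_steps):
        nxt = rewrite_step(t, rules)
        if nxt is None:
            return t
        t = nxt
    raise RuntimeError("step bound exceeded: the rules may not terminate")

def var_occurrences(t):
    """Counter of variable occurrences in t (all variables are free here)."""
    return Counter([t]) if is_var(t) else sum((var_occurrences(a) for a in t[1:]), Counter())

def is_conservative(rule):
    """Definition 12: no variable occurs more often in r than in l."""
    lhs, rhs = rule
    lv, rv = var_occurrences(lhs), var_occurrences(rhs)
    return all(n <= lv[x] for x, n in rv.items())

ZERO = ('0',)
def S(t):
    return ('s', t)
def num(n):                         # constructed numeral s^n(0)
    return ZERO if n == 0 else S(num(n - 1))
def to_int(t):
    n = 0
    while t != ZERO:
        t, n = t[1], n + 1
    return n

# The + and ack rules of Section 2.4 in the encoding above.
RULES = [
    (('+', 'x', ZERO), 'x'),
    (('+', 'x', S('y')), S(('+', 'x', 'y'))),
    (('+', ('+', 'x', 'y'), 'z'), ('+', 'x', ('+', 'y', 'z'))),
    (('ack', ZERO, 'y'), S('y')),
    (('ack', S('x'), ZERO), ('ack', 'x', S(ZERO))),
    (('ack', S('x'), S('y')), ('ack', 'x', ('ack', S('x'), 'y'))),
]

if __name__ == "__main__":
    print(to_int(normal_form(('+', num(2), num(3)), RULES)))
    print(to_int(normal_form(('ack', num(1), num(1)), RULES)))
    print([is_conservative(r) for r in RULES])   # only the last ack rule fails
```

The position choice in `rewrite_step` is one strategy among those Definition 12 permits; since the rules are terminating the normal form reached does not depend on it.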

Having rewrite rules in our calculus brings many benefits, in addition to
obtaining proofs in which computational steps are transparent. In particular, it
enhances the declarativeness of the language, as exemplified by Ackermann's
function, for which the definition in Coq [11] must use two mutually recursive
functions. For subject reduction, the following properties will be needed:

Definition 13 (Admissible rewrite rules) A rewrite rule $l \to r$, where $l$ is
headed by a function symbol whose output type is $s$, is admissible if and only if
it satisfies the following conditions:

• there exists an algebraic environment $\Gamma_l$ in which $l$ is well-typed,

• for any environment $\Gamma$, $\Gamma \vdash l{:}s \Rightarrow \Gamma \vdash r{:}s$.

We assume that rules use distinct variables and note by $\Gamma_R$ the union of the $\Gamma_l$'s.

2.5 Definition of the General Schema 

Let us consider the example of a strictly positive recursor rule, for the sort $ord$:

$rec^t_{ord}(lim_{ord}(f), u, v, w) \to w\ f\ (\lambda n{:}nat.\,rec^t_{ord}(f\ n, u, v, w))$

To prove the decreasingness of the recursive call arguments, one would like to
compare $lim_{ord}(f)$ with $f$, and not $lim_{ord}(f)$ with $(f\ n)$. To this end, we
introduce the notion of the critical subterm of an application, and then interpret
a function call by the critical subterms of its arguments. Here, $f$ will be the
critical subterm of $(f\ n)$, hence resulting in the desired comparison.

Definition 14 ($\Gamma,s$-critical subterm) Given an algebraic type $s$ and an envi-
ronment $\Gamma$, a term $a$ is a $\Gamma,s$-term if it is typable in $\Gamma$ by an algebraic type in
which $s$ occurs positively. A term $b$ is a $\Gamma,s$-subterm of a term $a$, $a \rhd_{\Gamma,s} b$, if $b$
is a subterm of $a$, of which each superterm is a $\Gamma,s$-term. Writing a $\Gamma,s$-term $a$
in its application form $a_1 \ldots a_n$, where $a_1$ is not an application, its $\Gamma,s$-critical
subterm $\chi^{s}_{\Gamma}(a)$ is the smallest $\Gamma,s$-subterm $a_1 \ldots a_k$ (see Figure 2).

For a higher-order function symbol, the arguments that have to be compared
via their critical subterm are said to be at inductive positions. They correspond
to the arguments on which the function is inductively defined. Next, we define
a notion of status that allows users to specify how to compare the arguments
of recursive calls. Roughly speaking, it is a simple combination of multiset and
lexicographic comparisons.

Definition 15 (Status orderings) A status of arity $n$ is a term of the form
$lex(t_1, \ldots, t_p)$ where $t_i$ is either $x_j$ for some $j \in [1..n]$ or a term of the form
$mul(x_{k_1}, \ldots, x_{k_q})$ such that each variable $x_i$, $1 \leq i \leq n$, occurs at most once. A
position $i$ is lexicographic if there exists $j$ such that $t_j = x_i$. A status term is a
status whose variables are substituted by arbitrary terms of CAC.

Let $stat$ be a status of arity $n$, $I$ be a subset of the lexicographic positions of
$stat$, called inductive positions, $S = \{>^{i}\}_{i \in I}$ a set of orders on terms indexed
by $I$, and $>$ an order on terms. We define the corresponding status ordering
$>^{S}_{stat}$ on sequences of terms as follows:

• $(a_1, \ldots, a_n) >^{S}_{stat} (b_1, \ldots, b_n)$ iff $stat\{\vec{x} \mapsto \vec{a}\} >^{S}_{stat} stat\{\vec{x} \mapsto \vec{b}\}$,

• $lex(c_1, \ldots, c_p) >^{S}_{lex(t_1, \ldots, t_p)} lex(d_1, \ldots, d_p)$ iff $(c_1, \ldots, c_p)\ (>^{S}_{t_1}, \ldots, >^{S}_{t_p})_{lex}\ (d_1, \ldots, d_p)$,

• $>^{S}_{x_i}$ is $>^{i}$ if $i \in I$, otherwise it is $>$,

• $mul(c_1, \ldots, c_q) >^{S}_{mul(x_{k_1}, \ldots, x_{k_q})} mul(d_1, \ldots, d_q)$ iff $\{c_1, \ldots, c_q\} >_{mul} \{d_1, \ldots, d_q\}$.

Note that it boils down to the usual lexicographic ordering if $stat = lex(x_1, \ldots, x_n)$
or to the multiset ordering if $stat = lex(mul(x_1, \ldots, x_n))$. $>^{S}_{stat}$ is well-founded
if so are $>$ and each $>^{i}$.

For example, let $>$ and $\succ$ be some orders, $stat = lex(x_2, mul(x_1, x_3))$, $I = \{2\}$,
and $S = \{\succ\}$. Then, $(a_1, a_2, a_3) >^{S}_{stat} (b_1, b_2, b_3)$ iff $a_2 \succ b_2$, or else $a_2 = b_2$
and $\{a_1, a_3\} >_{mul} \{b_1, b_3\}$.
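The status orderings of Definition 15, as an added Python example that is not from the paper: $>^{S}_{stat}$ is built from a base order $>$ and the inductive-position orders $>^{i}$, with the multiset extension for $mul$ components. It is instantiated on the example just given ($stat = lex(x_2, mul(x_1, x_3))$, $I = \{2\}$) and, with $stat = lex(x_1, x_2)$ and no inductive position, on the recursive calls of the $ack$ rules of Section 2.4. The term encoding, the use of the strict subterm ordering as $>$ and of a size comparison as $\succ$ are constructed choices for the illustration.

```python
# Added example (not from the paper): the status orderings of Definition 15.
# A status of arity n is a list [t_1, ..., t_p] whose items are a position i
# (an int, standing for x_i) or ('mul', [i_1, ..., i_q]).  Terms use the
# constructed encoding variable = str, application = (head, arg1, ..., argn).

def is_var(t):
    return isinstance(t, str)

def strict_subterm(a, b):
    """a > b for the strict subterm ordering: b is a proper subterm of a."""
    if is_var(a):
        return False
    return any(arg == b or strict_subterm(arg, b) for arg in a[1:])

def multiset_gt(ms, ns, gt):
    """Multiset extension of the strict order gt: after cancelling common
    elements, ms is non-empty and every remaining element of ns is dominated
    by some remaining element of ms."""
    ms, ns = list(ms), list(ns)
    for x in list(ms):
        if x in ns:
            ms.remove(x)
            ns.remove(x)
    return bool(ms) and all(any(gt(m, n) for m in ms) for n in ns)

def same_multiset(ms, ns):
    return sorted(map(repr, ms)) == sorted(map(repr, ns))

def status_gt(stat, inductive, orders, base, a, b):
    """(a_1..a_n) >^S_stat (b_1..b_n): the status terms stat{x -> a} and
    stat{x -> b} are compared lexicographically component by component.  A
    lexicographic position i uses orders[i] (= >^i) if i is in the set
    inductive (= I) and base (= >) otherwise; a mul component uses the
    multiset extension of base.  Equal components move on to the next one."""
    for item in stat:
        if isinstance(item, int):
            x, y = a[item - 1], b[item - 1]
            gt = orders[item] if item in inductive else base
            if gt(x, y):
                return True
            if x != y:
                return False
        else:
            ks = item[1]
            ma, mb = [a[k - 1] for k in ks], [b[k - 1] for k in ks]
            if multiset_gt(ma, mb, base):
                return True
            if not same_multiset(ma, mb):
                return False
    return False                       # all components equal

def size(t):
    return 1 if is_var(t) else 1 + sum(size(x) for x in t[1:])

def size_gt(x, y):
    return size(x) > size(y)

# The paper's example: stat = lex(x2, mul(x1, x3)), I = {2}, S = {succ}, with
# succ taken here as the size comparison and > as the strict subterm order.
def example_gt(a, b):
    return status_gt([2, ('mul', [1, 3])], {2}, {2: size_gt}, strict_subterm, a, b)

# Recursive calls of ack with stat = lex(x1, x2) and no inductive position
# (ack is first-order, so the base order is used at both positions).
def ack_call_decreases(lhs_args, call_args):
    return status_gt([1, 2], set(), {}, strict_subterm, lhs_args, call_args)

ZERO = ('0',)
def S(t):
    return ('s', t)

if __name__ == "__main__":
    # ack(s(x), s(y)) -> ack(x, ack(s(x), y)): both calls decrease.
    print(ack_call_decreases((S('x'), S('y')), ('x', ('ack', S('x'), 'y'))))
    print(ack_call_decreases((S('x'), S('y')), (S('x'), 'y')))
    # A hypothetical call ack(s(x), s(s(y))) would not decrease.
    print(ack_call_decreases((S('x'), S('y')), (S('x'), S(S('y')))))
    print(example_gt((S('x'), 'n', S('y')), ('x', 'n', S('y'))))
```

`status_gt` compares the status terms component by component, which is exactly the lexicographic combination $(>^{S}_{t_1}, \ldots, >^{S}_{t_p})_{lex}$ of the second bullet, with syntactic equality deciding when to move to the next component.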

Definition 16 (Critical interpretation) Given an environment $\Gamma$, the criti-
cal interpretation function $\phi_{f,\Gamma}$ of a function symbol $f \in \mathcal{F}_{s_1 \ldots s_n s}$ is:

• $\phi_{f,\Gamma}(a_1, \ldots, a_n) = (\phi_{f,\Gamma}(a_1), \ldots, \phi_{f,\Gamma}(a_n))$,

• $\phi_{f,\Gamma}(a_i) = \chi^{s_i}_{\Gamma}(a_i)$ if $i \in Ind(f)$, and $a_i$ otherwise.

The critical ordering associated to $f$ is $>_{f,\Gamma} = \rhd^{S}_{stat_f}$ where $S = (\rhd_{\Gamma,s_i})_{i \in Ind(f)}$.

According to Definition 15, the critical ordering is nothing but the usual
subterm ordering at non-inductive positions, and the critical subterm ordering
of Definition 14 at inductive positions.

Figure 2: Critical subterm

We are now ready to describe the schema for higher-order rewrite rules.
Given the left-hand side of a rule, we define a set of acceptable right-hand sides,
called the computable closure. In the next section, we prove that it preserves
strong normalization.

Definition 17 (Accessible subterms) A term $b$ is said to be accessible in a
well-typed term $c$ if it is a subterm of $c$ which is typable by a basic inductive sort,
or if there exists $p \in Pos(c)$ such that $c|_p = b$, and $\forall q < p$, $c|_q$ is headed by a
constructor. $b$ is said to be accessible in $\vec{c}$ if it is so in some $c \in \vec{c}$.

Definition 18 (Computable closure) Given an algebraic environment $\Gamma$ con-
taining $\Gamma_R$ and a term $f(\vec{c})$ typable in $\Gamma$, the computable closure $CC_{f,\Gamma}(\vec{c})$ of $f(\vec{c})$
in $\Gamma$ is defined as the least set of $\Gamma$-terms containing all terms accessible in $\vec{c}$,
all variables in $dom(\Gamma) \setminus FV(\vec{c})$, and closed under the following operations:

(i) constructor application: let $C$ be a constructor of type $s_1 \to \ldots \to s_n \to s$;
then $C(\vec{u}) \in CC_{f,\Gamma}(\vec{c})$ iff $u_i : s_i \in CC_{f,\Gamma}(\vec{c})$ for all $i \in [1..n]$,

(ii) defined application: let $g \in \mathcal{F}_{s_1 \ldots s_n t}$ such that $g <_{\mathcal{F}} f$; then $g(\vec{u}) \in CC_{f,\Gamma}(\vec{c})$
iff $u_i : s_i \in CC_{f,\Gamma}(\vec{c})$ for all $i \in [1..n]$,

(iii) application: let $u : s \to t \in CC_{f,\Gamma}(\vec{c})$ and $v : s \in CC_{f,\Gamma}(\vec{c})$; then
$(u\ v) \in CC_{f,\Gamma}(\vec{c})$,

(iv) abstraction: let $u \in CC_{f,\Gamma}(\vec{c})$ and $x : s \in \Gamma$; then $\lambda x{:}s.u \in CC_{f,\Gamma}(\vec{c})$,

(v) reduction: let $u \in CC_{f,\Gamma}(\vec{c})$, and $v$ be a reduct of $u$ using a β-rewrite step or
a higher-order rewrite rule for a function symbol $g <_{\mathcal{F}} f$; then $v \in CC_{f,\Gamma}(\vec{c})$,

(vi) recursive call: let $\vec{c'}$ be a vector of $n$ terms in $CC_{f,\Gamma}(\vec{c})$ of respective types
$s_1, \ldots, s_n$, such that $\phi_{f,\Gamma}(\vec{c}) = \vec{c} >_{f,\Gamma} \phi_{f,\Gamma}(\vec{c'})$; then $f(\vec{c'}) \in CC_{f,\Gamma}(\vec{c})$.

A useful finite approximation of this infinite set is defined by Coquand's
notion of structurally smaller [7], where only cases (i), (iii), (v) (one β-step
only) and (vi) are used, with a multiset status which forbids the use of nested
recursions. Our definition is therefore richer for two independent reasons. Note
further that Coquand restricts himself to the cases for which his ordering is
well-founded, a property that we think related to the positivity condition.

This can also be compared with the current criterion used in Coq for accept-
ing function definitions by fixpoint and constructor matching [11]. Functions
are defined by induction on one argument at a time, this argument must be
constructor headed, and recursive calls can be made only with its immediate
subterms. We are now ready to define the schema:

Definition 19 (General Schema) A set $R$ of rewrite rules satisfies the Gen-
eral Schema if

(i) its first-order part is conservative and strongly normalizing,

(ii) each higher-order function $f \in \mathcal{F}_{s_1, \ldots, s_n, t}$ is defined by a set of admissible
rewrite rules of the form $f(\vec{c}) \to e$ such that $e \in CC_{f,\Gamma}(\vec{c})$ for some algebraic $\Gamma$
containing $\Gamma_R$ (the environment in which the rules of $R$ are defined).

All pattern-matching definitions given so far satisfy the General Schema, in- 
cluding the first-order ones. We could have imposed that the first-order rules 
also satisfy the General Schema: this would have simplified our definition, but 
at the price of restricting the expressivity for the first-order rules. In our for- 
mulation, the strong normalization property of the first-order rules has to be 
proved beforehand. Tools exist that do the job automatically for many practical 
examples. Note that recursor rules of any strictly positive inductive type satisfy 
the General Schema: 

Lemma 20 The recursor rules for strictly positive inductive sorts satisfy the 
General Schema. 

2.6 CAC computations 

Definition 21 (Reduction relation) Given a set $R$ of rewrite rules satisfy-
ing the General Schema, including the set $Rec$ of recursor rules of a given user
specification, the CAC rewrite relation is $\to\ = \to_{\beta} \cup \to_R$. The CAC reduc-
tion relation is its reflexive and transitive closure denoted by $\to^{*}$. Its transitive
closure is denoted by $\to^{+}$. Its reflexive, symmetric and transitive closure is de-
noted by $\leftrightarrow^{*}$. A term is in normal form if it cannot be β-reduced, Rec-reduced
or R-reduced. An expansion is the inverse of a reduction: $a$ expands to $b$ if $b$
reduces to $a$.

Our calculus enjoys the subject reduction property, that is, preservation of
types under reductions. The proof uses a weak version of confluence, see [2].

Full confluence is proved after strong-normalization, by using Newman's
Lemma, and by assuming there are no critical pairs between any two higher-
order rules, and between the higher-order rules, the first-order rules and the
β-reduction rule (by considering that the abstraction is a unary function sym-
bol, and the application a binary one).

3 Strong-normalization 

A term is strongly normalizable if any reduction issuing from it terminates.
Strong-normalization and confluence together imply the logical soundness of the
system as well as the decidability of type-checking. In this section, we investigate
only the former. Let $SN$ be the set of strongly normalizable terms.

To prove the strong normalization property for well-typed terms, we use the
well known proof technique of Girard dubbed "reducibility candidates" [17], fur-
ther extended by Coquand and Gallier to the Calculus of Constructions [8]. Note
that these proofs use well-typed candidates, that is, sets of well-typed terms.
There exist proofs with lighter notations based on untyped candidates [16], but
which do not allow one to reason about the type of the elements of a reducibil-
ity candidate, as it will be necessary to do with our extension of the General
Schema. For a comprehensive survey of the method, see [15].

The strong normalization proof of Coquand and Gallier can easily be tailored
to our need. It suffices to define an adequate interpretation for the inductive
types, and to prove that, if the arguments of a function call belong to the inter-
pretation of their type, then the function call itself belongs to the interpretation
of its output type. We recall the definitions that are necessary for the under-
standing of our extension, and refer the reader to [8] for a complete exposition.

3.1 Interpretation of theorems 

Definition 22 (Reducibility candidates) We define the set $Neutr$ of neutral
terms as being the set of terms that are not an abstraction or constructor headed.
Let $\mathcal{T}_{\Delta,A} = \{\Delta' \vdash a \mid \Delta' \vdash a{:}A,\ \Delta' \supseteq \Delta\}$ and
$SN_{\Delta,A} = \{\Delta' \vdash a \in \mathcal{T}_{\Delta,A} \mid a \in SN\}$.

Given a valid environment $\Delta$, the family $\mathcal{C}$ of saturated sets $\mathcal{C}_{\Delta,A}$ where $A$ is
a $\Delta$-theorem, is defined by the properties listed below.

1. If $A = \Box$, then $\mathcal{C}_{\Delta,A}$ is the set $\{SN_{\Delta,\Box}\}$.

2. If $A$ is a $\Delta$-type or a $\Delta$-kind, then $\mathcal{C}_{\Delta,A}$ is the set of non empty sets
$S \subseteq SN_{\Delta,A}$ such that the following properties hold:

(S1) $S \supseteq \{\Delta' \vdash x\vec{a} \in \mathcal{T}_{\Delta,A} \mid x \in Var \text{ and } \vec{a} \in SN\}$.

(S2) For every neutral term $t$ such that $\Delta' \vdash t \in \mathcal{T}_{\Delta,A}$, if, for every immediate
reduct $t'$ of $t$, $\Delta' \vdash t' \in S$, then $\Delta' \vdash t \in S$.

(S3) Whenever $\Delta' \vdash t \in S$ and $\Delta' \subseteq \Delta''$, then $\Delta'' \vdash t \in S$.

(S4) Whenever $\Delta' \vdash t \in S$ and $t'$ is a reduct of $t$, then $\Delta' \vdash t' \in S$.

3. If $A$ is a type constructor of type $\Pi x{:}B.C$ in $\Delta$, then $\mathcal{C}_{\Delta,A}$ is the set of
functions with the following properties:

(a) If $B$ is a kind, then

• $f \in \mathcal{C}_{\Delta,A}$ is a function with domain $\{(\Delta' \vdash T, S) \mid \Delta' \vdash T \in \mathcal{T}_{\Delta,B},\ S \in \mathcal{C}_{\Delta',T}\}$
such that $f(\Delta' \vdash T, S) \in \mathcal{C}_{\Delta',AT}$,

• $f(\Delta' \vdash T_1, S_1) = f(\Delta' \vdash T_2, S_2)$ whenever $T_1 \leftrightarrow^{*} T_2$.

(b) If $B$ is a type, then

• $f \in \mathcal{C}_{\Delta,A}$ is a function with domain $\mathcal{T}_{\Delta,B}$ such that $f(\Delta' \vdash t) \in \mathcal{C}_{\Delta',At}$,

• $f(\Delta' \vdash t_1) = f(\Delta' \vdash t_2)$ whenever $t_1 \leftrightarrow^{*} t_2$.

Compared to [8], we extended (S2) to neutral terms to take care of functions,
and added (S4) to ensure that reducibility candidates are stable by reduction.

Definition 23 (Interpretation of algebraic types) Given a valid environ-
ment $\Delta$, we define the interpretation of algebraic types as follows:

• $can_{\Delta,s} = \{\Delta' \vdash a \in SN_{\Delta,s} \mid \text{if } a \to^{*} C(\vec{b}) \text{ and } \tau(C) = s_1 \to \ldots \to s_n \to s,$
$\text{then } \Delta' \vdash b_i \in can_{\Delta,s_i} \text{ for every } i \in [1..n]\}$,

• $can_{\Delta,s \to t} = \{\Delta' \vdash a \in \mathcal{T}_{\Delta,s \to t} \mid \forall \Delta'' \supseteq \Delta',\ \forall \Delta'' \vdash b \in can_{\Delta,s},$
$\Delta'' \vdash a\,b \in can_{\Delta,t}\}$.

Let us justify the definition. Since $>_{\mathcal{S}}$ is assumed to be well-founded, our
hypothesis is that the definition makes sense for every algebraic type built from
sorts strictly smaller than a given sort $s$. Let $P$ be the set of subsets of $SN_{\Delta,s}$
that contain all strongly normalizable terms that do not reduce to a term headed
by a constructor of $s$. $P$ is a complete lattice for set inclusion. Given an element
$X \in P$, we define the following function on algebraic types built from sorts
smaller than $s$: $R_X(s) = X$, $R_X(t) = can_{\Delta,t}$ and $R_X(s \to t) = can_{\Delta,s \to t}$.
Now, let $F : P \to P$, $X \mapsto X \cup Y$ where $Y = \{a \in SN_{\Delta,s} \mid \text{if } a \to^{*} C(\vec{b})$
$\text{and } \tau(C) = s_1 \to \ldots \to s_n \to s \text{ then } b_i \in R_X(s_i) \text{ for every } i \in [1..n]\}$. Since
inductive sorts are assumed to be positive, one can show that $F$ is monotone.
Hence, from Tarski's Theorem, it has a least fixed point $can_{\Delta,s} \in \mathcal{C}_{\Delta,s}$.

Definition 24 (Well-typed substitutions) Given two valid environments $\Delta$
and $\Gamma$, a substitution $\theta$ is a well-typed substitution from $\Gamma$ to $\Delta$ if
$dom(\theta) \subseteq dom(\Gamma)$ and, for every variable $x \in dom(\Gamma)$, $\Delta \vdash x\theta{:}\Gamma(x)\theta$.

Definition 25 (Candidate assignments) Given two valid environments $\Delta$
and $\Gamma$, and a well-typed substitution $\theta$ from $\Gamma$ to $\Delta$, a candidate assignment
compatible with $\theta$ is a function $\xi$ from $Var^{\Box}$ to the set of saturated sets such
that, for every variable $\alpha \in dom(\Gamma) \cap Var^{\Box}$, $\xi(\alpha) \in \mathcal{C}_{\Delta,\alpha\theta}$.

Compared to [8] where well-typed substitutions and candidate assignments 
are packaged together, we prefer to separate them since the former is introduced 
to deal with abstractions, while the latter is introduced to deal with polymor- 
phism. We are now ready to give the definition of the interpretation of theorems. 

Definition 26 (Interpretation of theorems) Given two valid environments
$\Delta$ and $\Gamma$, a well-typed substitution $\theta$ from $\Gamma$ to $\Delta$, and a candidate assignment
$\xi$ compatible with $\theta$, we define the interpretation of $\Gamma$-theorems as follows:

• $[\![\Gamma \vdash \Box]\!]_{\Delta,\theta,\xi} = SN_{\Delta,\Box}$,

• $[\![\Gamma \vdash *]\!]_{\Delta,\theta,\xi} = SN_{\Delta,*}$,

• $[\![\Gamma \vdash \alpha]\!]_{\Delta,\theta,\xi} = \xi(\alpha)$,

• $[\![\Gamma \vdash \lambda x{:}t.T]\!]_{\Delta,\theta,\xi}$ = the function which associates $[\![\Gamma, x{:}t \vdash T]\!]_{\Delta',\theta\{x \mapsto u\},\xi}$
to every $\Delta' \vdash u \in \mathcal{T}_{\Delta,t\theta}$,

• $[\![\Gamma \vdash \lambda\alpha{:}K'.T]\!]_{\Delta,\theta,\xi}$ = the function which associates

$[\![\Gamma, \alpha{:}K' \vdash T]\!]_{\Delta',\theta\{\alpha \mapsto T'\},\xi\{\alpha \mapsto S\}}$

to every $(\Delta' \vdash T', S) \in \{(\Delta' \vdash T', S) \mid \Delta' \vdash T'{:}K'\theta,\ \Delta' \supseteq \Delta,\ S \in \mathcal{C}_{\Delta',T'}\}$,

• $[\![\Gamma \vdash T\ u]\!]_{\Delta,\theta,\xi} = [\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi}(\Delta \vdash u\theta)$,

• $[\![\Gamma \vdash T\ T']\!]_{\Delta,\theta,\xi} = [\![\Gamma \vdash T]\!]_{\Delta,\theta,\xi}(\Delta \vdash T'\theta,\ [\![\Gamma \vdash T']\!]_{\Delta,\theta,\xi})$,

• $[\![\Gamma \vdash \Pi x{:}\tau.A]\!]_{\Delta,\theta,\xi} = \{\Delta' \vdash a \in \mathcal{T}_{\Delta,\Pi x{:}\tau\theta.A\theta} \mid \forall \Delta'' \supseteq \Delta',\ \forall \Delta'' \vdash t \in [\![\Gamma \vdash \tau]\!]_{\Delta'',\theta,\xi},$
$\Delta'' \vdash a\,t \in [\![\Gamma, x{:}\tau \vdash A]\!]_{\Delta'',\theta\{x \mapsto t\},\xi}\}$,

• $[\![\Gamma \vdash \Pi\alpha{:}K.A]\!]_{\Delta,\theta,\xi} = \{\Delta' \vdash a \in \mathcal{T}_{\Delta,\Pi\alpha{:}K\theta.A\theta} \mid \forall \Delta'' \supseteq \Delta',\ \forall \Delta'' \vdash T \in [\![\Gamma \vdash K]\!]_{\Delta'',\theta,\xi},$
$\forall S \in \mathcal{C}_{\Delta'',T},\ \Delta'' \vdash a\,T \in [\![\Gamma, \alpha{:}K \vdash A]\!]_{\Delta'',\theta\{\alpha \mapsto T\},\xi\{\alpha \mapsto S\}}\}$.

The last two cases correspond to the "stability by application". The well-
definedness of this definition is ensured by the following lemma.

Lemma 27 (Interpretation correctness) Assume that $\Delta$ and $\Gamma$ are two valid
environments, $\theta$ is a well-typed substitution from $\Gamma$ to $\Delta$, and $\xi$ is a candidate as-
signment compatible with $\theta$. Then, for every $\Gamma$-theorem $A$, $[\![\Gamma \vdash A]\!]_{\Delta,\theta,\xi} \in \mathcal{C}_{\Delta,A\theta}$.

We are now able to state the main lemma for the strong normalization theorem. 

Definition 28 (Reducible substitutions) Given two valid environments $\Delta$ 
and $\Gamma$, a well-typed substitution $\theta$ from $\Gamma$ to $\Delta$, and a candidate assignment $\xi$ 
compatible with $\theta$, $\theta$ is said to be valid with respect to $\xi$ if, for every variable 
$x \in dom(\Gamma)$, $\Delta \vdash x\theta \in [\Gamma \vdash \Gamma(x)]_{\Delta,\theta,\xi}$. 

Lemma 29 (Main lemma) Assume that $\Gamma \vdash a : b$, $\Delta$ is a valid environment, 
$\theta$ is a well-typed substitution from $\Gamma$ to $\Delta$, and $\xi$ is a candidate assignment 
compatible with $\theta$. If $\theta$ is valid with respect to $\xi$, then $\Delta \vdash a\theta \in [\Gamma \vdash b]_{\Delta,\theta,\xi}$. 

Proof: As in [5], by induction on the structure of the derivation. We give 
only the additional cases. The case (cons) is straightforward. The case (fun) is 
proved by Theorem 33 to come for the case of higher-order function symbols, 
and by [18] for the case of first-order function symbols. □ 

Theorem 30 (Strong normalization) Assume that the higher-order rules satisfy 
the General Schema. Then, any well-typed term is strongly normalizable. 

Proof: Application of the Main Lemma, see [5] for details. 

3.2 Reducibility of higher-order function symbols 

One can see that the critical interpretation is not compatible with the reduction 
relation, and not stable by substitution either. We solve this problem by 
using yet another interpretation function for terms enjoying both properties and 
relating to the previous one as follows: 

Definition 31 (Admissible recursive call interpretation) A recursive call 
interpretation for a function symbol $f$ is given by: 

(i) a function $\Phi_{f,\Gamma}$ operating on arguments of $f$, for each environment $\Gamma$, 

(ii) a status ordering $>_f^{stat_f}$, where $S$ is a set of orders indexed by $Ind(f)$. 

A recursive call interpretation is admissible if it satisfies the following properties: 

(Stability) Assume that $f(c') \in CC_{f,\Gamma}(c)$, hence $\Phi_{f,\Gamma}(c) = c >_{f,\Gamma} \Phi_{f,\Gamma}(c')$, $\Delta$ is 
a valid environment, and $\theta$ is a well-typed substitution from $\Gamma$ to $\Delta$ such that 
$c\theta$ are strongly normalizable terms. Then, $\Phi_{f,\Delta}(c\theta) >_f^{stat_f} \Phi_{f,\Delta}(c'\theta)$. 

(Compatibility) Assume that $s$ is the output type of $f$, $a$ and $a'$ are two sequences 
of strongly normalizable terms such that $\Delta \vdash f(a) : s$ and $a \to a'$. 
Then, $\Phi_{f,\Delta}(a) >_f^{stat_f} \Phi_{f,\Delta}(a')$. 
The definition of the actual interpretation function, which is intricate, can 
be found in the full version of the paper. Before proving the reducibility of 
higher-order function symbols, we need the following result. 

Lemma 32 (Compatibility of accessibility with reducibility) 

If $\Delta \vdash a \in can_{\Delta,A}$ and $b \in \mathcal{T}_{\Delta,B}$ is accessible in $a$, then $\Delta \vdash b \in can_{\Delta,B}$. 

Theorem 33 (Reducibility of higher-order function symbols) 

Assume that the higher-order rules satisfy the General Schema. Then, for every 
higher-order function symbol $f \in \mathcal{F}_{s_1 \ldots s_n, s}$, $\Delta \vdash f(a) \in can_{\Delta,s}$ provided that 
$\Delta \vdash f(a) : s$ and $\Delta \vdash a_i \in can_{\Delta,s_i}$ for every $i \in [1..n]$. 

Proof: The proof uses three levels of induction: on the function symbols 
ordered by $>_{\mathcal{F}}$, on the sequence of terms to which $f$ is applied, and on the 
righthand side structure of the rules defining $f$. By induction hypothesis (1), 
any $g$ occurring in the rules defining $f$ satisfies the lemma. 

We proceed to prove that $\Delta \vdash f(a) \in can_{\Delta,s}$ by induction (2) on $(\Phi_{f,\Delta}(a), a)$ 
with $(>_f^{stat}, (\to)_{lex})_{lex}$ as well-founded order. Since $b = f(a)$ is a neutral 
term, by definition of reducibility candidates, it suffices to prove that every 
reduct $b'$ of $b$ belongs to $can_{\Delta,s}$. 

If $b$ is not reduced at its root then one $a_i$ is reduced. Thus, $b' = f(a')$ 
such that $a \to a'$. As reducibility candidates are stable by reduction, $\Delta \vdash a'_i \in 
can_{\Delta,s_i}$, hence the induction hypothesis (2) applies since the interpretation is 
compatible with reductions. 

If $b$ is reduced at its root then $a = c\theta$ and $b' = e\theta$ for some terms $c$, $e$ 
and substitution $\theta$ such that $f(c) \to e$ is the applied rule. $\theta$ is a well-typed 
substitution from $\Gamma_R$ to $\Delta$, and $\xi$ is compatible with $\theta$ since $dom(\Gamma_R) \cap Var^\Box = \emptyset$. 
We now show that $\theta$ is compatible with $\xi$. Let $x$ be a free variable of $e$ of type 
$t$. By definition of the General Schema, $x$ is an accessible subterm of $c$. Hence, 
by Lemma 32, $\Delta \vdash x\theta \in can_{\Delta,t}$ since, for every $i \in [1..n]$, $\Delta \vdash c_i\theta \in can_{\Delta,s_i}$. 

Given an algebraic environment $\Gamma$ containing $\Gamma_R$, let us show by induction (3) 
on the structure of $e \in CC_{f,\Gamma}(c)$ of type $t$ that, for any well-typed substitution $\theta$ from $\Gamma$ 
to $\Delta$ compatible with $\xi$, $e\theta \in can_{\Delta,t}$, provided that $c_i\theta \in can_{\Delta,s_i}$ for every 
$i \in [1..n]$. 

Base case: either $e$ is accessible in $a$, or $e$ is a variable of $dom(\Gamma) \setminus FV(c)$. In 
the first case, this results from Lemma 32, and in the second case, this results 
from the fact that $\theta$ is compatible with $\xi$. Now, let us go through the different 
closure operations of the definition of $CC_{f,\Gamma}(c)$. 

(i) construction: $e = C(e_1, \ldots, e_p)$ and $\tau(C) = t_1 \to \ldots \to t_p \to t$. $e\theta \in can_{\Delta,t}$ 
since, by induction hypothesis (3), $e_i\theta \in can_{\Delta,t_i}$. 

(ii) defined application: $e = g(e_1, \ldots, e_p)$ with $\tau(g) = t_1 \to \ldots \to t_p \to t$ and 
$g <_{\mathcal{F}} f$. By induction hypothesis (3), $e_i\theta \in can_{\Delta,t_i}$. Hence, $e\theta \in can_{\Delta,t}$, 
by [18] for first-order function symbols, or by induction hypothesis (1) for 
higher-order ones, since $g <_{\mathcal{F}} f$. 

(iii) application: $e = u\,v$. $e\theta \in can_{\Delta,t}$ since, by induction hypothesis (3), 
$u\theta \in can_{\Delta,t' \to t}$ and $v\theta \in can_{\Delta,t'}$. 

(iv) abstraction: $e = \lambda x{:}t_1.u$ and $t = t_1 \to t_2$ such that $\Gamma, x{:}t_1 \vdash u : t_2$. Let 
$v \in can_{\Delta,t_1}$. By induction hypothesis (3), $u\theta\{x \mapsto v\} \in can_{\Delta,x{:}t_1,t_2}$. Hence, 
$(\lambda x{:}t_1.u\theta)\,v \in can_{\Delta,x{:}t_1,t_2}$ and $e\theta \in can_{\Delta,t}$. 

(v) reduction: $e$ is a reduct of a term $u \in CC_{f,\Gamma}(c)$. Since $\Gamma \vdash u : t$, by induction 
hypothesis (3), $u\theta \in can_{\Delta,t}$. Since reducibility candidates are stable by 
reduction, $e\theta \in can_{\Delta,t}$. 

(vi) admissible recursive call: $e = f(c')$ and $\Phi_{f,\Gamma}(c) = c >_{f,\Gamma} \Phi_{f,\Gamma}(c')$. The 
induction hypothesis (1) applies since the interpretation is stable. □ 

This achieves the proof of the strong normalization property. 

4 Conclusion and future work 

We have defined an extension of the Calculus of Constructions by higher-order 
rewrite rules defining uncurried function symbols via the so-called General 
Schema [3], which will allow a smooth integration in proof assistants like Coq 
of function definitions by pattern-matching on the one hand, and decision procedures 
on the other hand. This result extends previous work by Barbanera 
et al. [?] by allowing for non-dependent and non-polymorphic inductive types. 
In our strong normalization proof based on Girard's reducibility candidates, we 
have indeed used a powerful generalization of the General Schema, of which 
the recursors for strictly positive inductive types are an instance; this generalization is an 
important step in its own right. 

Several problems need to be solved to achieve our program, that is, to extend 
the Coq proof assistant [3] with rewriting facilities. Firstly, to generalize our 
results to arbitrary positive inductive types, for which the type being defined 
may occur at any positive position of the argument types of its constructors. 
Secondly, to extend the results to dependent and polymorphic inductive types 
as defined by Coquand and Paulin in [10]. This is indeed the same problem, of 
defining and proving a generalization of the schema. Thirdly, to allow rewriting 
at the type level, enabling one to define types by induction. The corresponding 
recursor rules are called strong elimination [22]. We already have preliminary 
results in the latter two directions. Fourthly, to accommodate the η-rule. 
Following [12], we plan to try the use of the η-rule as an expansion, instead 
of as a reduction. In this context, it would also be interesting to see to what 
extent the works by Nipkow [20] and Klop [19] on higher-order rewriting systems 
could be integrated in our framework. Lastly, following [13], we also want to 
introduce modules in our calculus to be able to develop libraries of reusable 
parameterized proofs. 

Acknowledgements: We want to thank Maribel Fernández for her careful 
reading, and the anonymous referees for their useful remarks. 